Digiges pointed out that in Germany, IPRED [the EU's Intellectual Property Enforcement Directive] had led to a situation which allowed rightsholders to acquire personal data of the users directly from the providers. All they needed for that was the IP-address of an alleged infringer and an application to a court that would order the provider to hand over the requested information. While this option was originally meant to facilitate the realisation of damages and injunctive relief, the whole process in fact became more and more automated over time. The requests from rightsholders usually comprised between 15 and 3 500 IP-addresses at a time. In one single case in October 2009, the number even reached a breathtaking 11 000. Given the fact that the court proceedings in these cases are always summary or expedited ones, it becomes clear that there is hardly any chance for a judge to thoroughly check the validity and accuracy of the "evidence" presented by the rightsholder.

In its letter, Digiges argued that the situation created by the German implementation of IPRED violates EU law, and asked the European Commission to do something about it. It did: in October 2013, it invited representatives to Brussels to explain their case further. After further correspondence with Digiges, more than one and a half years after the initial letter was sent, the Commission has finally decided to take the first step towards an infringement procedure against Germany:

The Commission officially prompted the German government to comment on the German situation around warning letters within ten weeks.

Heady stuff. EDRi points out that any practical effect of the Commission taking up this case is likely to be very slow to arrive:

The German government is expected to delay their answer to the Commission as long as possible. Once it has arrived, the Commission will have 10 weeks to evaluate the government’s reply. An ensuing judicial infringement procedure might take up to two years and will be repeated if the member state in question fails to comply with the ruling of the court.

So, realistically, we are looking at over four years before Germany actually has to do anything serious like changing its law here. But EDRi tries to look on the bright side, concluding its post as follows:

it is still unclear if and when Germany will change its laws facilitating the abuse of warning letters. But an important step towards the first infringement procedure with a net-political twist has been taken.

from the of-course-not dept

For years we've argued over and over again that stricter enforcement does nothing to slow down or stop infringement. Often it does the opposite -- either by making more people aware of the possibilities to infringe, or driving people further underground. The industry insists that it needs stricter enforcement on a bizarre and widely discredited theory that such strong enforcement is effective as an "education" technique. You hear this all the time from entertainment industry execs. They're so bought into their infatuation with copyright, that they think the only possible reason why people don't respect the law is that they haven't been "educated" enough about it -- and what better way to "educate" than to crack down hard?

Except, it never works. It never has and it never will. Increasing enforcement has never -- not once -- been shown to be an effective long term solution to stopping infringement. It does appear to have short-term effects, as it makes people scatter from actions that are easily trackable, but within a few months (six seems to be about the consensus), file sharing activity tends to find a new path and get back to the same trajectory it was on before.

We've now got some more data to support this. A few years back, Sweden passed a very draconian and aggressive enforcement law known as IPRED (Intellectual Property Rights Enforcement Directive), which had the result of a temporary blip in file sharing that disappeared pretty quickly. And now, a new research report has come out showing that just as many 15 to 25-year-olds share unauthorized content online as did so at the time IPRED became law. In fact, a larger percentage of that age group share "heavily," rather than in smaller amounts.

“We can safely say that the repressive legal developments in this field have very weak support in informal social control mechanisms of society”, says Mans Svensson, Ph.D. in judicial sociology, one of the researchers doing the study. “The social pressure is close to non-existent.”

So why is it that we keep seeing countries pass these kinds of laws? And why do entertainment industry lobbyists keep pushing for them when they're so woefully ineffective in doing anything positive?

from the no-privacy-violations dept

A few years ago, we wrote about how Swedish ISP ePhone was refusing to hand over info on its subscribers who were accused of infringement, arguing that the country's IPRED (IP enforcement) law was in violation of EU law. That case bounced around the Swedish courts before hitting the EU Court of Justice, who recently decided that it is perfectly reasonable for ISPs to be ordered to hand over customer info -- if certain specific conditions are met to keep it in-line with the EU data retention rules.

While perhaps somewhat unfortunate from a privacy perspective, I don't actually find the ruling to be that surprising, and the impact is not all that far-reaching. It's pretty well-established that companies can be compelled to give up private info on people as part of a legal dispute. The larger concern should be over the standard of evidence required before such info is handed over (and also whether or not the accused has the opportunity to anonymously fight the release of info, should he or she believe that the release would be in error). The EU Court of Justice has had some good rulings lately, pushing back on copyright maximalism, but this particular ruling isn't really all that surprising, given the details. In fact, the full ruling suggests that it was tackling a very narrow question that really changes little. It doesn't even say that such info should always be given up -- just that, if certain conditions are met, it could be legal to require ISPs to hand it over.

from the not-quite-what-we-hoped-for dept

Last week, the EU Rapporteur on ACTA, David Martin, announced he would recommend that the European Parliament reject the treaty. He has now made good on that promise in his report, available in draft form (pdf):

The intended benefits of this international agreement are far outweighed by the potential threats to civil liberties. Given the vagueness of certain aspects of the text and the uncertainty over its interpretation, the European Parliament cannot guarantee adequate protection for citizens' rights in the future under ACTA.

Your rapporteur therefore recommends that the European Parliament declines to give consent to ACTA.

It's interesting to note the main areas of ACTA that he found unsatisfactory:

Unintended consequences of the ACTA text is a serious concern. On individual criminalisation, the definition of "commercial-scale", the role of internet service providers and the possible interruption of the transit of generic medicines, your rapporteur maintains doubts that the ACTA text is as precise as is necessary.

However, Martin does not have a problem with the underlying idea of ACTA:

The problems which ACTA seeks to address are real and growing. Counterfeiting and piracy have increased substantially and continue to do so. The consequences of the growth in these illegal activities range from economic losses to health and safety dangers. The European Union has much to lose without efficient and enforced global coordination in copyright protection.

As a result, he concludes as follows:

Following the expected revision of relevant EU directives, your rapporteur hopes the European Commission will therefore come forward with new proposals for protecting IP.

This seems to be a reference to the imminent revision of IPRED ("intellectual property rights enforcement directive"). The European Commission has already published what it calls its "indicative roadmap" (pdf) for IPRED, so it's clear that it is working on a new proposal. Martin's closing comment suggests that it may get an easier ride through the European Parliament than ACTA, which could encourage the Commission to incorporate some of ACTA's ideas in IPRED 2 -- before moving on to ACTA 2.0.

from the seems-like-a-marketing-opportunity dept

We recently wrote about how Swedish ISP Bahnhof had announced plans to use a VPN to encrypt all traffic running over its network, thus making any log files it was required to store under data retention rules useless. Slashdot points us to the news that ISP Review, over in the UK, has asked a bunch of UK ISPs their thoughts on encrypting all traffic, and questioning whether they would do the same to protect user privacy.

The answers are pretty interesting. None of them seem interested in going as far as VPNing all traffic, with some suggesting that it's just too expensive. One ISP, AAISP, says that there's a better solution than VPN, which is to just switch to a carrier grade NAT, for which there are no requirements to log those sessions. IDNet suggested that it might consider making such a service "opt-in," since some people might want it, but it creates other downsides that not all customers appreciate. The one response that struck me as questionable was from Entanet, who seemed to indicate that the only reason to encrypt traffic was if you were doing something wrong:

As a responsible communications provider, we don't advocate any steps to proactively create the ability to avoid the identification of parties who are deliberately committing acts of data piracy.

The focus is not to "avoid identification" of people involved in "piracy," but to provide privacy in general. Given just how many examples we've seen of governments spying on users' data habits with very little legitimate purpose, it seems like an ISP that actually protects its users' privacy should be seen as a good thing.

It makes me wonder if we'll start to see more ISPs like Bahnhof pop up, with a focus on promoting the fact that they protect your privacy. In an age when so many people flipped out about Google's WiFi sniffing, you would think that these same people would celebrate ISPs that automatically encrypt traffic, as that would solve such problems. Yet, instead, it seems like the very same people are suggesting that such encryption is only for bad purposes.

Of course, here in the US, there are almost no choices among ISPs, and the ones that are available all have strong and close relationships with the government (hi, AT&T!), so it's not like they have any interest in protecting customer privacy. Though, this also explains why there's nothing serious in any US-based broadband plan around increasing competition. If there were real competition, perhaps some providers would look at better ways to protect user privacy. So, as long as the government can keep competition limited to a few entities who rely on the government, the government knows it can always get the info it wants, no matter how dubious the legal rationale.

from the nicely-done,-us dept

Back in May, we had reported that Swedish police were complaining about the IPRED "anti-piracy" law, noting that all it had really done was driven up the use of encryption, which had made their job more difficult. Separate from that, of course, have been numerous studies showing that the amount of file sharing in Sweden, after an initial dip, quickly surpassed what it had been before and continued to rise. Of course, this was all pretty predictable before IPRED went into effect, but thanks to Wikileaks, not only do we know that the US was heavily involved in pushing efforts like IPRED through, but that Swedish officials made these concerns known to the US, and it appears that the US didn't really care. The specific cable highlighted the concerns of Swedish officials:

Swedish Police Enforcement officials are complaining that implementation of the IPRED has made it more difficult to solve crimes. Swedish Internet Service Providers are saving user information related to IP-numbers for a shorter period of time following the IPRED legislation.

Also, as previously reported (Ref A) the IPRED legislation might be doing little to stop the problem of illegal file-sharing as internet users now are using services which allow them to hide their IP-addresses.

That same cable, by the way, also mentions how Larry Lessig spoke to the Swedish Parliament, and also reported on the latest (at the time) of the Pirate Bay trial.

Separately, I just realized that the cable comes from the US Ambassador to Sweden, Matthew Barzun, who actually probably has a decent grasp on many of these issues, as before he became a diplomat, he worked for many years as an executive at CNET. That said, it's still somewhat disappointing that the US did seem so instrumental in pushing these laws, that even the Swedes don't seem to like, which aren't helping, and are having other unintended consequences. What's really troubling is that the US still seems to support these types of laws elsewhere, even though they're likely to have the same results. Is keeping Hollywood happy really so important?

from the privacy-rights-trump-your-business-model dept

Last year, of course, Sweden passed a strict "anti-piracy" law called IPRED, following a ton of pressure from the US entertainment industry (and US diplomats repeating debunked industry talking points). While some have declared the law a "success," because music sales went up last year, there's little evidence to suggest the law has been useful at all. The amount of unauthorized file sharing did drop initially, but quickly went back up and now is higher than it was before IPRED became law. If the goal was to stop unauthorized file sharing, it failed miserably. As for the increased money in the music industry? A lot of that is actually due to new offerings, such as Spotify.

Of course, many people pointed out that IPRED, beyond being unlikely to work, also created a whole bunch of unintended consequences and problems -- including a dangerous attack on the privacy rights of those in Sweden. And, remember, this is Europe, where privacy rights are an even bigger deal than in the US.

"The rules governing privacy and confidentiality have long existed in the rules that govern our industry and the IPRED law is brand new," says Patrik Hiselius, a lawyer at TeliaSonera. "It is important that there is a principled review of the Code and the Anti-Piracy Agency's interests."

from the privacy-or-copyright? dept

Since the Swedish IPRED law went into effect, basically requiring ISPs to hand over info on those accused of copyright infringement, many ISPs have begun questioning the legality of the law itself -- specifically noting that the law clearly conflicts with privacy laws already in place in Sweden, as well as wider EU privacy rules. Last year, the ISP Ephone appealed a demand for info, and now Swedish telco giant TeliaSonera is doing the same in appealing a demand for info on whoever runs SweTorrents:

In its appeal, the ISP argues that IPRED is in direct violation of the EU's data retention directive, under which the privacy of the SweTorrents owner would be protected....

"The protection of privacy contained in the directive prevents the application of the Swedish IPRED law in this case," TeliaSonera's lawyer Patrick Hiselius said in a comment.

Separately, TeliaSonera also pointed out that the court doesn't seem to understand the most basic technical aspects of BitTorrent, in that it spoke of "the material that is uploaded on the website" in referring to SweTorrents. But SweTorrents is just a tracker, and thus there is no infringing material uploaded to its website. TeliaSonera points out that the demands for information on SweTorrents, then, are "based on faulty technical knowledge."

from the nice-to-see-some-sanity dept

Earlier this year, Sweden put its anti-piracy IPRED law into effect, and earlier this summer we noted that the ISP ePhone was refusing to give up a user's IP address, and appealing a court ruling ordering it to do so. The details of the specific case suggested a unique circumstance, involving a server that supposedly contained infringing material -- but which was never made public. It was always behind a password and thus, Ephone argued, there was no infringement. While the lower court disagreed, the appeals court has overturned the lower ruling, saying that probable cause for infringement had not been shown. Given some of the recent rulings in the Swedish court system on copyright issues, it's nice to see a court not just accept the entertainment industry's claims on some of these things...

from the fighting-IPRED dept

Earlier this year, you may recall that strict new "anti-piracy" legislation went into effect in Sweden, which required ISPs to hand over IP addresses and other info they had on people. Because of this, some ISPs have been proactive in deleting log files. But, a bigger question may be whether or not such rules violate user privacy. It appears that the Swedish courts are going to need to sort this out. The first ISP who was asked for IP address info in Sweden under this new IPRED law, Ephone, is appealing the court order to hand over the data, even though it faces huge fines for not complying. The case is a little different than a typical file sharing case in that it involves an attempt to find out who's running a particular server on which certain content was stored. However, Ephone points out that the server itself required a password to access, and thus the content was not made publicly available -- and thus, was not copyright infringement. Not surprisingly, Ephone's customers have made it clear to the company that they support it in protecting their privacy.